This page describes how IT and Cyber requirements such as Directives, Contract Clauses, laws, and technical direction are received, evaluated, institutionalized, memorialized, and managed throughout their lifecycle. This page is specific to IT's approach to these issues.
- Directives (CRDs)
- Contract Clauses
- Acquisition Letters and DEAR/FAR Changes
- Technical Direction
- State and Federal Law Changes
- University Policy Changes
Requirements Management Tasks
The Policy, Assurance, and Risk Management Office (PARM) of the CIO is responsible for tracking developing issues that could lead to changes in the Laboratory's requirements. This office assesses the potential risk of these changes to the Lab and devotes effort, commensurate with risk and available resources, to commenting on and participating in the drafting of requirements. The CIO also participates in these activities directly.
With the CIO, PARM develops lab-wide positions on the impact and cost/benefit of proposed rules. Where necessary, expertise can be engaged from within IT, across the Cyber Enclaves, from the ITC, CPIC, and from broad or targeted stakeholder involvement as appropriate.
Tasks: Response to New Requirements
The PARM is the Point of Contact for all incoming regulatory and related requirements. The PARM maintains awareness of changes in the law and utilizes cross-DOE and cross-UC connections to ensure understanding of changes and impacts.
When a new requirement "arrives," an impact analysis is conducted, informed by the analyses performed during requirements development. These analyses vary from informal to formal and will involve stakeholders as necessary.
After consultation with the CIO and stakeholders as required, a strategy for dealing with the requirement is developed (e.g., implementation plan, request for waiver, rejection, P clause, etc.).
PARM manages this process to its eventual conclusion. The new requirements are tracked on the Requirements Management pages with notes regarding implementation strategy and impact.
Once accepted, new requirements are integrated into policy documents as required, and practices/procedures are developed with implementing groups.
Tasks: Monitoring and Assurance
A risk-based approach is taken to assurance systems for these requirements. This approach is still in development, but the goal is for all requirements to have "reasonable assurance" mechanisms associated with them. See assurance plans for cyber and IT.